The National Institute of Standards and Technology (NIST) has published a definition of "critical software" as a response to the May 2021 Presidential executive order (EO) on improving the cybersecurity of the federal government. Section 4 of the EO directs the Secretary of Commerce, through NIST, to consult with federal agencies, the private sector, academia, and other stakeholders in identifying or developing standards, tools, best practices, and other guidelines to assist software developers in enhancing software supply chain security.
NIST has also published comments received in response to its Enhancing Software Supply Chain Security: Workshop and Call for Position Papers on Standards and Guidelines. Several organizations submitted comments, including the ANSI National Accreditation Board (ANAB), which noted in its response that it is prepared to work with NIST and other agencies in providing educational opportunities to aid in a better understanding of how conformity assessment can benefit the development of schemes to enhance software supply chain security (pilot programs).
In addition to soliciting position papers from the community, NIST hosted a virtual workshop to gather input and consulted with Cybersecurity and Infrastructure Security Agency (CISA), the Office of Management and Budget (OMB), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) to develop the definition, the concept of a phased implementation, and a preliminary list of common categories of software that would fall within the scope for the initial phase.
With its paper, NIST has released a table illustrating the application of the definition of EO-critical software to the scope of the recommended initial implementation phase. NIST reports that CISA will provide the authoritative list of software categories in the future.
Access the specific definition of critical software in a NIST white paper, Definition of Critical Software Under Executive Order (EO) 14028, on NIST’s website.